photo by Gordon Joly
Bank robbers these days, at least successful ones, are much less prone to rely on a safe-cracker wearing a ski mask than a laptop and a list of stolen credentials.
Hackers are such a prevalent risk that many banks hire security firms to preemptively try to find holes in their cybersecurity. But up until now, most of the heists large enough to make headlines targeted the banks themselves or relied on phishing and other attacks designed to target individual, and ideally large, accounts. Many unsuccessful attacks also go unreported, according to regulators.
A breach earlier this month in the United Kingdom demonstrates a new tactic: a systematic attack stealing relatively small amounts from thousands of customers over the course of a weekend.
Tesco Bank, the banking arm of a major U.K. supermarket chain, said that about 40,000 accounts registered suspicious transactions over a 24-hour period, and about half of those accounts had money withdrawn. (That number was later revised downward to about 9,000.) All in all, the bank lost about 2.5 million pounds ($3 million), according to The Guardian. Benny Higgins, the bank’s chief executive, issued an apology to Tesco’s customers and emphasized that no personal customer data had been compromised.
The bank has released little detail so far, and the country’s National Cyber Security Center issued a statement urging patience while the agency pursued its investigation out of the public eye. It did, however, call the attack “unprecedented” in its nature and its scope. Politicians and observers have raised a variety of theories about the means and causes of the breach, including suggestions that compromised debit cards or the bank’s website may have been the point of entry. Regardless, it already seems clear that, whatever the in-point, the strategy was to target a large number of very ordinary, low-balance accounts.
The BBC spoke to Tesco customers who lost hundreds of pounds – amounts which were small by the standards of the financial industry but were massive by percentage of the overall account balances. These are the sort of everyday checking accounts whose owners might not reconcile a bank statement at all, instead simply relying on an ATM, bank website or smartphone app to tell them how much money is in their account.
Even when no theft is involved, this is not a great strategy for managing one’s money. An institution like Tesco may identify a problem and pledge to make all its customers whole – as Tesco has – but bank administrators might still miss some victims unless those who were targeted come forward proactively. Tesco texted customers (or at least those who opted in to text alerts) when it noted unusual activity on their accounts, and in a situation as large as this one, the bank will doubtless be especially careful in making sure transactions in the period in question were legitimate. But ultimately, the account holder is best-positioned to catch any suspicious account activity. Of course, if your checks unexpectedly bounce or you cannot get money from an ATM when you need cash at midnight, you are apt to notice a problem, even if you don’t regularly reconcile your accounts.
While fraudulent transactions ultimately get fixed at no direct cost to the account holder, here as in the U.K., the indirect cost and inconveniences can be considerable even when you stay on top of your finances. Some Tesco customers faced a wait of up to 48 hours to be made whole, which is a long time if you suddenly have only 2 pounds in your account (as one man told the BBC) or if you have a large automatic payment due, such as a credit card or mortgage payment. Even customers who hadn’t been targeted themselves faced the inconvenience of suspended online debit transactions while the bank investigated the breach. When you don’t keep an eye on your accounts, such problems can be even worse and take longer to resolve.
Another danger in not watching your accounts is missing unauthorized activity too small for the bank’s anti-fraud tools to easily identify. Some criminals make small, regular thefts over time; the best way to put a stop to this early is not to neglect your bank statements. It once seemed as if small accounts needn’t worry about hackers, because there was too little gain relative to the risk and effort necessary to crack through the bank’s security. Large accounts were the ones at risk. Those days appear to be over.
We don’t know exactly what happened at Tesco. But could it happen here? The only safe assumption is that it could.
So keep an eye on your accounts. Reconcile your statements; personal finance software makes this process easy. Question transactions you did not expect and watch out for small billings that may be someone trying to fly under the radar. The bank bears the risk, but you bear some of the responsibility.